ModSecurity Block invalid host referer

Question

I need a rule to block all POST requests to wp-login.php,
But I need to check if the referer domain is equal to requested domain name
We need to check such things:

check for requested domain value (example: sitename1.com)
check for referer domain value (example: sitename1.com)
if requested domain is equal to referer domain
if request is POST
if requested file is wp-login.php

I have the following code to check the referer but I need to check the domain in referer too

#Block WP logins with no referring URL
<Locationmatch "/wp-login.php">
SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"
</Locationmatch>

in this case I can check the visitor completely and ensure he is a human appreciate for any help

score 1 · Accepted Answer · answered May 24 '21 at 12:21

1

I'm not sure I understand your question, but may be this chained rule will help you:

SecRule &REQUEST_HEADERS:Referer "!@eq 0" \
    "id:5000130,\
    phase:1,\
    t:none,\
    deny,\
    status:401,\
    chain,\
    msg:'wp-login request blocked, no referer'"
    SecRule REQUEST_URI "@beginsWith /wp-login.php" \
        "chain"
        SecRule REQUEST_METHOD "@streq POST" \
            "chain"
            SecRule REQUEST_HEADERS:Host "@rx .*" \
                "capture,\
                chain"
                SecRule REQUEST_HEADERS:Referer "@streq %{TX.0}"

Please keep it mind:

this chained rule works only if the Referer header is set
the Host header must also exists

May be you need an another chained rule, which checks the existence of Referer header, if the URI is /wp-login, but I think based on the rule above you can produce it.

answered May 24 '21 at 12:21

airween

6,203
1
14
20

Thank you so much, just i think the captured string is host but you are trying to compare referer url – Farhad Sakhaei May 24 '21 at 15:53
We need to compare referer domain , not referer url|uri – Farhad Sakhaei May 24 '21 at 15:54
Feel free to replace the rule as you want. – airween May 24 '21 at 19:36
I will try and test then add the final rules, thank you – Farhad Sakhaei May 24 '21 at 19:54
1

You should change the argument of the `@rx` operator to `http(|s):\/\/([^:\/]+)(:(\d)|\/).*`, and the `%{TX.0}` to `%{TX.2}`. In this case, the engine will compare the `Host` header with the host part of `Referer`. I think this is what you need. – airween May 25 '21 at 19:03
Or may be using `@contains` operator? `SecRule REQUEST_HEADERS:Referer "@contains %{SERVER_NAME}"` , is it possible? – Farhad Sakhaei May 25 '21 at 19:16
I'm not sure `%{SERVER_NAME}` is valid. The `%{}` notation is used for macros, and the engine can expand it, but I'm afraid there is no such macro - feel free to check it. Btw, here is the documentation: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#Macro_Expansion. – airween May 26 '21 at 04:41

ModSecurity Block invalid host referer

1 Answers1